Applications setting the SSL_OP_MSIE_SSLV2_RSA_PADDING option (or the SSL_OP_ALL option, which implies it) can be forced by a third party to fall back to the less secure SSL 2.0 protocol, even if both parties support the more secure SSL 3.0 or TLS 1.0 protocols.

Impact
======

A man-in-the-middle attacker can weaken the encryption used to communicate between two parties, potentially revealing sensitive information.

Workaround
==========

If possible, disable the use of SSL 2.0 in all OpenSSL-enabled applications.
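The following is an added illustration of why the workaround matters; it is a small pure-Python model of version negotiation, not code from Gentoo or from OpenSSL. The version names, the ranking, the negotiate() and server_policy() functions and the constructed ClientHello offers are all assumptions made for the example. It shows that a server which still accepts SSL 2.0 will settle on it when the stronger versions are missing from the offer it receives, while a server with SSL 2.0 disabled refuses the handshake instead of silently completing a weak one.

```python
# Model of protocol-version negotiation for an OpenSSL-style server.
# Constructed for illustration; not the OpenSSL implementation.

# Protocol versions ranked from weakest to strongest (assumed ordering).
VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1.0": 2}


class DowngradeRejected(Exception):
    """Raised when no acceptable protocol version remains after negotiation."""


def negotiate(offered, allowed):
    """Pick the strongest version both sides accept, or refuse the handshake.

    offered: versions listed in the ClientHello as the server sees it
             (a man-in-the-middle may have removed entries in transit).
    allowed: versions the server is configured to accept.
    """
    common = set(offered) & set(allowed)
    if not common:
        raise DowngradeRejected(f"no acceptable version in {sorted(offered)}")
    return max(common, key=VERSION_RANK.__getitem__)


def server_policy(disable_sslv2):
    """Versions an OpenSSL-enabled server accepts (assumed configuration).

    Leaving SSLv2 in the set models the fallback behaviour the advisory
    describes; removing it models the 'disable SSL 2.0' workaround.
    """
    versions = {"SSLv3", "TLSv1.0"}
    if not disable_sslv2:
        versions.add("SSLv2")
    return versions


# Constructed offers: what an honest client sends, and what the server
# receives once a man-in-the-middle has stripped the stronger versions.
HONEST_OFFER = ["SSLv2", "SSLv3", "TLSv1.0"]
STRIPPED_OFFER = ["SSLv2"]


def outcome(offered, disable_sslv2):
    """Return the negotiated version, or None if the server refused."""
    try:
        return negotiate(offered, server_policy(disable_sslv2))
    except DowngradeRejected:
        return None


if __name__ == "__main__":
    for disable in (False, True):
        label = "SSL 2.0 disabled" if disable else "SSL 2.0 enabled"
        print(f"{label}: honest offer -> {outcome(HONEST_OFFER, disable)}, "
              f"stripped offer -> {outcome(STRIPPED_OFFER, disable)}")
```

Running the script prints one line per configuration: with SSL 2.0 enabled the stripped offer completes on SSLv2, with it disabled the same offer is refused and the honest offer still negotiates TLSv1.0. Any change that prevents a weak version from being a valid outcome at all, rather than merely preferring stronger ones, is the pattern to look for when reviewing OpenSSL option flags in an application.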

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200510-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or, alternatively, you may file a bug at http://bugs.gentoo.org.